Cyber Spying Justice: Unserved

After toothless FTC judgment against rent-to-own PC companies in spying case, Congress needs to make surveillance of customers in their own homes illegal.

Was the punishment meted out to seven rent-to-own businesses that literally spied on their customers--via webcam footage, browser screen-grabs, and location-tracking technology, courtesy of surveillance software known as PC Rental Agent--sufficient?

Well, punishment is too strong a word. All seven businesses, together with the two principals of software development firm DesignerWare, which created PC Rental Agent, recently agreed to settle--without admitting or denying any wrongdoing--a Federal Trade Commission complaint made against them. The settlements impose two requirements: the businesses have agreed to never spy on customers, and they must keep records to document their compliance for the next 20 years.

In other words, despite rent-to-own businesses having literally spied on their customers at will, catching them in what the FTC described as "intimate moments," the businesses' managers and offending employees are getting off with a slap on the wrist.

For this case, it's not the first time that justice hasn't been served or consumer privacy rights clearly protected. To briefly recap, Wyoming-based couple Crystal and Bryan Byrd last year had filed a class action lawsuit against DesignerWare, as well as rent-to-own businesses Aaron's and Aaron's franchisee Aspen Way. (DesignerWare and Aspen Way were also named in the FTC complaint.) Their suit was triggered by an Aspen Way store manager showing them a picture of Bryan Byrd that had been surreptitiously taken with the couple's rent-to-own PC's webcam by store employees, who believed--wrongly--that the couple had missed a payment, which would have allowed Aspen Way to repossess it.

The Byrds' lawsuit alleged that customers' privacy rights--as well as federal wiretapping laws and the Computer Fraud and Abuse Act--had been violated. Furthermore, since the PC Rental Agent software was installed on numerous PCs, they requested that the federal judge overseeing the case immediately block any further use of the software to spy on employees.

But the presiding judge "declined to issue an injunction," recounts "Dissent," which is the handle of the privacy advocate and data breach information blogger who maintains DataBreaches.net, and who's been following this case since last year. That was despite a DesignerWare principal telling the court that in the prior six months, the software had been installed on 92,000 PCs. Instead, U.S. District Court judge Sean McLaughlin and U.S. magistrate Susan Baxter found that "it is purely conjecture that the other members of the putative class will be subjected to remote access of personal information," and questioned the merits of the case.

To summarize: Rent-to-own businesses can spy on their customers at will, and without the threat of any penalties, at least until after the first time they're caught. Furthermore, a federal judge doesn't think that giving a business the ability to surreptitiously record webcam footage of its customers--or perhaps their children--in their homes, and in various states of undress, or capture their keystrokes, or screen-grab copies of their bank statements, is obviously illegal.

When I first saw the FTC's cyber-spying case settlement, my reaction was: Surely the FTC could have done more, such as fining the companies involved? But as Dissent told me, and an FTC spokeswoman and others confirmed, the FTC isn't authorized to fine first-time offenders.

"Unfortunately, the FTC Act does not give the commission the authority to issue fines for initial violations of the Act," David Jacobs, consumer protection fellow at the Electronic Privacy Information Center, told me via email. "What the FTC can do is enter into consent agreements with the violator that basically say 'don't do that again.'"

On the upside, businesses that agree to a settlement must then toe the line--or else. "If the agreement is breached, then the FTC can issue fines," Jacobs says. "This is what the FTC did in the case of Google: entered into a consent agreement requiring Google to follow certain rules, and then fined the company $22.5 million when they breached the agreement."

If the outcome of the FTC's settlement with the seven rent-to-own businesses and DesignerWare seems lacking, justice may yet be served. For starters, the FTC can refer any case to the Department of Justice for potential criminal prosecution. Did the agency do so in this cyber spying case? When I put that question to an FTC spokeswoman, she declined to comment.

Furthermore, the class action lawsuit and state investigations appear to have already driven DesignerWare out of business. As InformationWeek first reported, DesignerWare is the subject of an active investigation by the Florida Attorney General's office. In addition, the company's March 2012 bankruptcy filing by its two owners suggested that the company was also being investigated by attorneys general in California and Texas.

Bankrupt surveillance software developers aside, one takeaway from this cyber-spying case is clear: Pending legal changes, avoid rent-to-own PC businesses at all costs. Or if you simply must work with one, don't do anything in the presence of your PC that you wouldn't do in public, and avoid using it to conduct Internet banking or relay any personal or sensitive communications.

Takeaway number two involves this memo to Congress and state legislators: Please make spying on consumers, especially in their own homes, clearly illegal. And Congress, give the FTC--which, it must be said, has in recent weeks scored some great wins against scareware artists and telemarketing scammers--the power to penalize businesses and individuals who flagrantly violate consumers' privacy rights.

The outcome should be frightening to anyone. I guess the next logical step is placement of cameras in dressing rooms and public toilets in commercial clothing outlets where pilferage is a realistic problem? Allowing the type of spying described should be considered equivalent. A good idea not to identify this "presiding judge" to protect his/her privacy. Sometimes, you just have to think multitasking (the judge obviously was) is not for everyone.

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.